Ng 


oO te 


SAFECRACKING: MANIPULATING 
Mechanical COMBINATION 
SAFES 


By Ammon 
CONTENTS 


® Introduction 


@ Part I: Understanding Dial Locks 


O Vocabulary and Function 
O Abbreviations 


O Classification of Dial Locks 
O Dialing Order and Operation 
@ Part II: Dial Lock Weaknesses and 
Failure 
oO Slop 
O Gate Position 
O Wheel Irregularity 
O Third Digit Position 
O HLH and LHL Combination 
Patterns 
® Part III: Your Lock 
O Assessing the Condition of the 
Lock 
O Record Keeping and Accuracy 
O Mind the Gap 
O Determine the Number of 


Combination Digits 


O Lock Problems 


@ Part IV: Getting Digits 


O Slipped Wheels and Guessing the 
Combination 

O Method for Determining a First of 
Three Digits 

O Determining on Which 
Wheel Your FIRST Prospective 
Combination Digit Is Located 

Oo Determining a Second When You 
Have the First Combination Digit 

Oo Determining a Second When You 
Have the Second Combination 
Digit 

Oo Determining a Second When You 
Have the Third Combination Digit 

O Determining a Third Digit of a 
Four-digit Combination 

O Determining the Last Digit 


Part V: Tips and Tricks 
Part VI: Failure! 


Part VII: Success! 
Bonus 


O Resetting the Combination 


O Cracking Home Fire Safes with 
Electronic Locks 


INTRODUCTION 


There are many ways to get into a 
mechanical lock safe. Peeling a safe 
is the process of tearing it apart. Ex- 
plosives, acetylene torches, or thermic 
lances can penetrate the safe. Drilling 
is meant to cause the least external 
damage while opening the safe. Drilling 
may allow access to a punch in order 
to disable the lock, or it may allow the 
use of a scope to “spy” the combination 
without disabling the lock. Radiological 
penetration, one of few nondestructive 
safecracking methods, can allow a safe- 
cracker to see lock operations through 
the safe walls. 


In this e-book I describe the non- 
destructive process of manipulation: 
using touch to determine the combi- 
nation of a mechanical lock. Success- 
ful manipulation of a dial lock deter- 
mines the lock combination without 
any damage to the safe. 


Before anything else, watch the the 
safecracking video of Jeff Sitar (“Jeff 


Sitar - Champion Safe Cracker“). 


Watched it? Good! You're not him. 
You'll never crack a bank vaultin 5 min- 
utes. Your first safe, if it’s in ideal con- 
dition, will take you dozens of hours to 
crack. Safe-cracking requires tenacity. 
If you don’t want to stick with it, then 
you're better off quitting now. 


Still here? Good! 


The purpose of this e-book is to teach 
you about dial combination locks, their 
weaknesses, and how to exploit them. 
YOU are solely responsible for how 
you use this information. I have made 
every attempt to concisely describe the 
process of manipulation you'll need to 
learn to open a locked dial combination 
safe. Yet, you may want to read this 
e-book several times before beginning 
your practice. 


PART I: UNDERSTANDING 
DIAL LOCKS 


In Part I we explore the parts and func- 
tion of dial locks. Until you understand 


the vocabulary and mechanics of safe 
locks, you will find safecracking all but 
impossible. Figure 1 represents the in- 
ternal parts of atypical UL2 dial combi- 
nation lock. 


Apart from the lock itself, most safes 
include a boltwork of some sort. The 
dial lock does not unlock the door, it 
unlocks the boltwork, which are re- 
tracted using the exterior lever or 
wheel. 


Vocabulary and Function 


Bolt (lock bolt): The portion of the me- 
chanical lock that stops the safe door 
handle or wheel from operating the 
main locking bolts on the safe door. 


Boltwork (main locking bolt[s]): The 


mechanical portion of the door, oper- 
ated by the handle or wheel, that physi- 
cally locks the door. 


Cam (drive cam, wheel cam): The por- 
tion of the lock that is fixed to the spin- 


dle and dial, which has a gate for the 
nose to hook into. 


Cam Gate: The portion of the cam that 
receives and catches the nose when the 
fences line up over the wheel gates. 


Change Index: The mark beside the dial 
that indicates which number is being 
dialed during the combination change 
process. Usually the change index mark 
is at roughly 300°, or at 85 when the 
dial is zeroed on the open index. The 
change index is usually a single mark. 


Contact Points: The left and right con- 
tact points are are where the nose 
comes into contact with the respective 
edges of the cam gate. Between these 
points the nose does not touch the cam, 
but the fence does touch the wheels. 
See Figure 2, below. 


Dial: The face of the lock, showing 100 
graduated positions (usually marked 
1-100 or 0-99). Less commonly there 
may be more or less numbers on the 
dial, e.g., 80 or 130. 


Dial Ring: A plate surrounding and be- 
hind the lock dial. The dial ring typi- 
cally has change index and open index 
marks. 


Drilling: The process of putting a hole 
in a safe in order to punch the lock or 
spy the combination. 


Drive Pin: A small protrusion on the 
face of each wheel that contacts the 
wheel fly of the adjacent wheel, causing 
it to turn in time. 


Fence: a small bar resting across the 
tops of the wheels in the wheel pack. 
The fence drops when the gates of each 
wheel are aligned under it. 


Fence Depth: The drop of the fence 
when the nose is in the cam gate (be- 
tween the contact points). The lower 
the fence depth, the smaller the dis- 
tance between the contact points. The 
greater the fence depth, the greater the 
detail may be determined about the 
wheel pack. 


Gate: The gap in each wheel that the 
fence fits into when they are all aligned. 
Also, the gap in the cam that the nose 
fits into. 


Gate Position: The position of the cam 
when the nose is between the contact 


points and the fence is resting on or in 
the wheels. 


Lever: The portion of the lock that con- 
nects the lock bolt with the fence and 
nose. Also, the door handle or wheel. 


Manipulation: The systematic process 
of determining the combination to a 
mechanical dial lock using one’s physi- 
cal senses. 


Nose (lever nose, lever hook): The nose 
is the hook attached to the lock lever 


that grabs the cam gate when the wheel 
gates are aligned under the fence. The 
nose allows the dial to pull the lock bolt 
away from and release the boltwork. 


Open Index: The mark above the dial 
that indicates which number is being 
dialed. Nearly always the open index 
mark is at 0°, or at 85 when the dial is 
zeroed on the open index. The change 
index is usually a single mark. 


Parking: The placement of a wheelin a 
fixed position while other wheels are 
manipulated. 


Peeling: The physical process of tearing 
a safe apart. 


Punching: Punching a safe involves 
drilling a safe and using a punch or rod 
to disable the lock bolt. 


Radiological Penetration: Using x-ray 
technology to see the lock through any 


external metal plating of the safe. 


Relocker: A device that locks the safe 
door when the safe is under attack. Re- 
lockers may be included in the mechan- 
ical lock or be supplemental to the bolt- 
work. 


Slop: The difference in size between 
the fence and the wheel gates, gener- 
ally allowing from +.75% to +1.25% 
dialing error tolerance. For example, if 
the combination is 77-33-55, dialing 
76-33-55 will still open the safe. 


Spindle: The rod connecting the dial on 
the outside of the safe with the cam in- 
side the safe. 


UL1: A lock classification indicating re- 
sistance to manipulation for 20 hours. 
A Group 1 lock as classified by the Un- 
derwriters’ Laboratories. 


ULI1R: A lock classification indicating 
resistance to professional manipula- 
tion for 20 hours and shielding from ra- 
diological penetration. 


UL2: A lock classification indicating re- 
sistance to professional manipulation 
for 2 hours. A Group 2 lock as classified 
by the Underwriters’ Laboratories. 


Wheels*: The independently rotating 
disks of the wheel pack. Each has a 
notch (gate) to receive the fence. The 
first and second wheels have both a 
wheel fly and a drive pin. The third 
wheel has only a wheel fly. (In four- 
wheel locks, the first, second, and 
third wheels are mechanically identi- 
cal, while the fourth wheel has only a 
wheel fly.) 


Wheel Fly: The portion of the wheel 
that contacts and is pushed by a drive 
pin, causing the wheel to turn. 


Wheel Pack: The collection of wheels in 
the dial lock, each representing a digit 
of the lock’s combination. 


*Some people call the wheels in the 
wheel pack “tumblers”. This is just 
stupid. Don’t do it. 


A. Fence (extending behind the nose) 
B. Nose 

C. Nose Lever 

D. Lock Bolt 

E. Relocker (“E” placed over pivot point. 
When the left half is depressed, the 
right half releases the lock bolt 

F. Wheel One 


G. Wheel Gate on Wheel One 

H. Cam Wheel 

I. Cam Gate on Cam/Drive Wheel 

J. Spindle (with keyway visible between 
H-I-J) 


FIGURE 2. The dial is turning clock- 
wise. This view from back of lock 
shows cam moving counterclockwise/ 
anticlockwise. 


B: Left contact 
point. The nose drops slightly 
and the 

fence rests on the 
wheels. This the mo- 
ment just 
A. The cam_ gate approaches 
the nose. before the nose 


leaves contact with the cam. 


Be, 


PCa b eh ive Ky: 


C. right contact point. The cam moved 
under the 
suspended nose until making con- 


tact once again with D. the 
nose is raised by the edge of the cam 
gate, 

the cam _ gate. lifting the 


fence off the wheel pack. 


Abbreviations 


For the purpose of simplifying this text 
and avoiding confusion, I use a number 
of abbreviations. I also assume a three 
digit combination. 


C1: The first digit of the combination, 
as controlled by the first wheel of the 
wheel pack. 


C2: The second digit of the combina- 
tion, as controlled by the second wheel 
of the wheel pack. 


C3: The third digit of the combination, 
as controlled by the third wheel of the 
wheel pack. 


R: Dialing right / turning the dial clock- 
wise (dial numbers descending relative 
to the open index). 


L: Dialing left / turning the dial coun- 
terclockwise/anticlockwise (dial num- 
bers ascending relative to the open 
index). 


W113: The first wheel of the wheel pack, 
which represents the first digit of the 
combination. 


W2: The second wheel of the wheel 
pack, which also represents the second 
digit of the combination. 


W3: The third wheel of the wheel pack, 
which represents the third digit of the 
combination 


Classification of Dial Locks 


Dial locks of the sort used in safes are 
grouped in two categories, Group 1 and 
Group 2. Since the late 19th century, 
Underwriters’ Laboratories has oper- 


ated as a safety science company rating 
safes and safe locks. Basic UL dial lock 
ratings include UL2, UL1, and UL1R 
(see “Vocabulary” for definitions). 


Beginner safe crackers would do well to 
practice on standard UL2 locks, such as 
the Sargent and Greenleaf 6730. 


In order to make manipulation more 
difficult, UL1 locks include features not 
discussed in this e-book, such as false 
gates, rounder wheels, and devices that 
shield the safe cracker from feeling the 
contacts points. 


Dialing Order and Operation 


Our example combination for this e- 
book is 77-33-55, with a gate position 
(wheel cam gate) within 6-13. 


Again, dialing right (R) means turning 
the dial clockwise, and dialing left (L) 
means turning the dial counterclock- 
wise/anticlockwise. 


The most common dialing order is L-R- 
L. The dial is turned four times L, stop- 
ping at the first combination digit of 


77. The dial is then turned R , stopping 
the third time you see 33 at the open 
index (this may not be three full turns). 
Turn the dial L again, stopping the sec- 
ond time you see 55 at the open index 
(this may not be two full turns). Turn 
the dial R until the fence drops into the 
gates (at the gate position). To fully re- 
tract the lock bolt, keep turning the dial 
until it comes to a hard stop (roughly 
5-10 digits past the gate position. The 
safe is now unlocked.. 


Some locks may have R-L-R dialing 
orders. Or in the case of four digit com- 
binations, R-L-R-L or L-R-L-R dialing or- 
ders. Please note that the stopping posi- 
tion of the dial is not considered a digit 
of the combination. Also see Tip #8. 


The interior operation of the lock is 
as follows (assume the dial has been 
turned four fullturns L): 


A. As the dial spins, so do the spin- 
dle and cam. They are in fixed 
position relative to each other. 

B. First rotation R -- The cam turns 
with the dial to the right. No 
wheels turn. 


C. Second rotation -- The second 
rotation includes the W3 with 
the cam. As the cam completes 
its first full rotation R, the cam’s 
drive pin contacts the wheel fly 
on W3 of the wheel pack and 
causes it to begin turning along 
with the cam. 

D. Third rotation -- After the sec- 
ond full rotation, the drive pin 
on W3 will contact the wheel fly 
on W2, which includes W2 in 
the third rotation. 

E. Fourth Rotation -- After W2 
completes its full rotation, the 
drive pin on W2 contacts the 
wheel fly on the W1, bringing 
it into rotation with the other 
wheels. At this point, the entire 
wheel pack is rotating together 
and will continue to do so as 
long as the dial is turned to the 
right. 


The interior operation of the lock as 
you dial the combination 1s as follows: 


A. From the fourth rotation L, as 
the dial continues to turn L, all 


of the wheels in the wheel pack 
are rotating together. When you 
stop on the first combination 
digit, 77, all of the wheels are 
positioned at 77. Since only the 
W1’s gate is at 77 the fence 
won't drop. 

. Turning the dial R first turns 
the cam, then adds W3 and W2 
with subsequent rotations. Stop 
the dial the third time you see C2 
(33) align with the open index. 
You have not yet turned the dial 
far enough to move W1 from its 
position at 77. The gates of W1 
and W2 are now aligned under 
the fence. 

. Turning the dial L moves only 
the cam for the first 360°. You’ve 
seen 55 pass the open index one 
time. The cam then picks up W3 
and rotates until you stop at C3 
(55). Once again, you have not 
continued turning the cam and 
W3 past 720°, so W2 and W1 
have not be moved from posi- 
tion. 

. All three gates are in position 
under the fence, but the lock 


will not open until the nose is 
also over the cam gate (gate posi- 
tion). See Figure 3, below. Turn- 
ing the dial/cam R from its last 
position at 55 leaves the entire 
wheel pack in position. The cam 
continues R until the cam gate 
aligns under the nose (roughly 
at 10, in our case), when the 
fence drops into the gate and 
the nose hooks on the cam. 
There is a distinctive feel as 
this happens. Continuing R ap- 
proximately another 5-10 digits 
past the gate position retracts 
the lock bolt, releasing the main 
locking bolts. The lock will come 
to a hard stop as the lock bolt 
retracts fully. It will turn no 
further to the right since the 
lock bolt is stopped, the nose is 
locked into the cam gate, andthe 
fence is dropped into the gates of 
the wheel pack. 


Turning the dial back to the right at 
least four full turns does the following: 
first, draws the nose out of the cam 
gate: second, moves W3 from its posi- 


tion at 55; next, moves W2 from its po- 
sition at 33, and finally moves W1 from 
its position at 77. The wheel pack has 
been cleared. 


Failing to turn the dial four full turns 
to right after closing the safe will leave 
one or more of the wheels with their 
gates under the fence. A safe cracker 
can feel the positions of the wheel and 
easily devise the remainder of the com- 
bination. Always, always turn the dial 
four full turns after closing your safe. 


Understanding the operation of the 
lock is key to devising the combination 
and to saving time or effort while doing 
SO. 


FIGURE 3. The wheel gates are aligned 
under the fence. This series of photos 
shows the subsequent aligning of the 
cam gate under the nose. Images A-G. 


A. Showing the wheel pack’s gates 
aligned under the B. The 
cam is rotating counterclockwise/anti- 
clockwise, 

fence (hidden behind the upper part of 
the nose). with the cam 
gate approaching the nose. 


C. The nose begins to enter the cam gate 
as the fence 

enters the wheel gates. 

D. The nose continues to enter the cam 
gate. 


E. The nose has fully entered the cam 

gate, as also F. The cam be- 

gins pulling the nose lever, which 

the fence has entered the wheel 

gates. subsequently begins 

pulling the lock bolt left. 
f a ae | 


G. The cam has pulled the nose lever 
and lock bolt 
to the fully retracted position. 


& 


PART II: DIAL LOCK WEAK- 
NESSES AND FAILURE 


It is the goal of the safe cracker to ex- 
ploit the weaknesses of the lock or safe. 
Basic UL2 locks have a number of fea- 
tures that allow a safe cracker to feel 
what happening inside the safe, or to 
shorten the time necessary to manipu- 
late the safe. 


Slop 


Slop is the difference between the 
width of the fence and the width of 
the wheel gate. With a UL2 lock there 
is typically a +1.25% error tolerance. 
This means that if you intended to dial 
your combination of 77-33-55, but in- 
stead you dial 76-32-55, the lock has a 
good possibility of still opening. With a 
gate tolerance of 1.25% on each side of 
the fence, the range of successfully di- 
aled numbers consists of a 2.5 digit gap. 
The safe manipulator no longer has to 
try combinations at single, whole num- 
ber intervals. Rather s/he need only 
try numbers at intervals 2.5, 5, 7.5, 
10, 12.5, etc. A three digit combination 
lock with a 100 digit dial has 1,000,000 
possible combination; however, due to 


slop, there are effectively only 64,000 
possible combinations. 


Some lock models, such as UL1 locks, 
may have an +.75 error tolerance. 


Gate Position 


As the cam rotates the the nose of 
the lever rests (or is held by a spring) 
against the outer surface of the cam 
and the fence is suspended slightly 
above the wheel pack. When the gate 
position rotates under the nose, the 
nose drops slightly allowing the fence 
to rest on the wheel pack for that short 
period of the dial rotation. If our gate 
position is centered at ~10, the fence 
may rest on the wheel pack between 
6 and 13, for example. As the dial is 
turned to the right you can feel the 
nose drop at 13, and “bounce” back 
up 7. ,The left “contact point” is at 7, 
and the right contact point is at 13. In 
this gap you can feel slightly different 
features of the wheel pack, depending 
on the myriad possible relationships 
each wheel may have with the others. 
You can feel these features because the 
fence is resting on the wheel pack. 


Wheel Irregularity 


Each wheel in the wheel pack may have 
slightly different features. An ever-so- 
slight ovalness of a wheel may be per- 
ceptible to the safe cracker. These irreg- 
ularities allow the safe cracker to bet- 
ter understand what’s happening in the 
lock as it’s manipulated. 


Third Digit Position 


Because the cam has a gate position 
around 10, any C3 should not be in the 
gate position. The closer C3 is to 10, 
the more likely the occurrence of in- 
terference. For example, if my C3 is 11 
and my gate position is near 10, I will 
be turning L to my C3 at 11, then I'll 
turn R only one digit before the fence 
drops. If it doesn’t drop, then I’ll con- 
tinue another 360°, but I’ll move the 11 
before I get to the 10. With C3 (11) now 
moved to 10 the fence again may not 
drop. Because of this possible interfer- 
ence, factory combination would not a 
C3 within 10 digits of the gate position. 
In our example, this would preclude a 
C3 gate at numbers 0-20. 


This further reduces the number of 
possible combinations 20% on C3, or 
from 64,000 to roughly 51,200. 


HLH and LHL Combination Patterns 


Factory combination formations have 
other restrictions. In addition to the 
restriction that the third digit not be 
proximal to the gap (mechanical rea- 
soning), strictly ascending or descend- 
ing combinations are not considered 
good practice. Thus, all of the following 
combinations would be proscribed: 


33-55-77 77-55-33 
77-55-10 55-75-20 
25-50-75 30-20-05 
95-10-15 


Again we have a reduction in effectively 
distinct combinations from 51,200 to 
only 22,330. This is merely 2.3% of the 
original 1,000,000 combinations for a 
three wheel lock with a 100 digit dial. 


PART III: YOUR LOCK 


Assessing the Condition of the Lock 


Locks are mechanically simple, al- 
though lack of maintenance and wear 
over time can cause them to malfunc- 
tion. The majority of problems with 
safe locks are caused by friction. 


Individual wheels are designed to ro- 
tate around the spindle without inter- 
ference from the spindle itself. Wheels 
also rotate independently of other 
wheels. An incorrect or degraded lubri- 
cant can cause wheels to seize or stick 
periodically. In addition, wheels may be 
worn through long use or jostle while 
the safe is in transport. If a wheel be- 
gins to lean--causing contact with ad- 
jacent wheel(s) when their respective 
drive pins and wheel flies are not in 
contact--this contact may cause inad- 
vertent movement of wheel position. 


Dirty or malfunctioning dials, spin- 
dles, and/or wheels may also hamper 
the safe cracker’s ability to feel what’s 
going on in the lock. 


Record Keeping and Accuracy 


Good records, careful dialing, and con- 
sistent lighting are key to successful 


manipulation of safe locks. Sloppy dial 
turns can waste time at the best, and 
cause you to miss the combination en- 
tirely at the worst. 


Plan to dial with great consistency 
under uniform lighting. When you dial 
a digit, consider turns in terms of tenths 
of a digit. If you intend to dial 75, but 
dial 74.6 instead, you may have a differ- 
ent result and end with inaccurate in- 
formation. 


Turn the dial as smoothly as you can. 
Smooth dialing allows you to feel the 
features of the cam and wheels better. 


Ensure that your lighting is consistent. 
Changes in natural light at different 
times of day can change how you per- 
ceive the tenths of each digit on the dial 
(see tip #6, below). This slight change 
in perception due to changing light can 
affect your knowledge of changes in 
contact points. 


During the systematic process of de- 
termining your safe’s combination, you 
will record contact point data (edges of 
the gate position) for each number or 
combination that you dial. This is most 


commonly recorded in graph from. I 
suggest using a sheet of graph paper in 
landscape orientation. The horizontal 
length of the paper (X axis) will repre- 
sent the combinations dialed (0, 2.5, 5, 
7.5, 10, 12.5, 15, etc.), and the vertical 
or Y axis will represent the gate area in 
tenths of a digit. Using the lines of the 
graph paper as fourths of a digit, and 
marking points on or in between the 
lines may work for you. See Figure 4, 
below. 


FIGURE 4. The author’s prefered 
record, a half-sheet-sized note pad 
and clipboard. X-axis in five-digit in- 
crements (data also recorded between 
these points). The upper half of the 
sheet is the right contact point (11-12.7 
in 1/10th digit increments), and the 
lower half the left contact point 
(5.5-7.5 in 1/10th digit increments). 


Mind the Gap 


Your first job is to determine the gate 
position. This is often around 6-8 digits 
wide and located in the dial range of 
about 85 to 15. Standard UL2 Sargent & 
Greenleaf locks often have the gate po- 
sition at about 6-12 (left and right con- 
tact points, respectively). 


A good way to find the gate position 
is to turn all wheels to 50 (four or 
five turns left, for our example). Then 
slowly turn the dial to the right. This 
allows you to turn the cam wheel with- 
out interference of the wheel pack. As 
you pass through the expected cam 
gate range, try to feel the contact points 
“drop” and “pop.” On some locks locat- 


ing this gate range is an obvious and 
easy task. On other locks, this may be a 
difficult nonetheless essential task. 


Note the location of the gate position. 
You'll be returning here often. 


Determine the Number of Combina- 
tion Digits 


Your next job is to determine the num- 
ber of digits in your lock’s combination. 


You may begin either direction, but for 
our example we will turn the dial five 
full turns L (five because of the pos- 
sibility of a four-digit combination). 
Stop with the number 50 at the open 
index. Next, slowly turn R. Recall that 
you have left all of the wheels in the 
wheel pack at 50. With the completion 
of each full turn, as you pass the num- 
ber 50, you should feel the cam wheel 
“pick up” each additional wheel. Pick- 
ing up wheels causes a slightly “heav- 
ier” feel in the dial. You may possibly 
hear a click as each drive pin contacts 
the wheel fly of each successive wheel, 
although I find this is usually not the 


case. Your refined sense of touch should 
tell you all you need to know. 


Each full turn, with each additional 
“heaviness” added to the wheel, repre- 
sents one digit of the combination. A 
three digit combination will feel addi- 
tional resistance in the dial with the 
end of the first, second, and third full 
dial turns. A fourth, fifth, etc. will have 
no effect on how the dial feels. A four 
digit combination will feel additional 
resistance at the end of the fourth full 
dial turn, but not the fifth, sixth, etc. 


Lock Problems 


In your attempt to assess the qualities 
of your safe lock, you may find certain 
inhibiting factors: heavy friction, inter- 
nal malfunction, or bent spindle. Some 
of these problems are impossible to re- 
mediate. 


It’s nearly impossible to clean the wheel 
pack when the safe is closed and locked; 
however, if dirt or grime is behind the 
dial or on the outer parts of the spindle, 
you may be able to clean it. One way 
to clean the dial and spindle is to use a 


small, flexible syringe nipples with sol- 
vents to free up friction on the dial or 
spindle. Different lock and dial designs 
may inhibit cleaning. 


If wheels in the wheel pack are stuck, or 
contacting each other, you may not be 
able to determine the number of wheels 
in the wheel pack, thereby finding the 
number of digits in the combination. 
Spinning the dial hard, warming the 
dial/lock up, or just give the lock some 
use (continued left/right rotations), 
may free up the wheels. Spinning the 
dial too hard, however, may cause addi- 
tional problems. 


A bent spindle may incapacitate your 
manipulation efforts entirely by caus- 
ing the wheel pack to wobble as the dial 
turns. This may occur whether or not 
you're turning any of the wheels in the 
wheel pack. If the spindle is bent, you 
may feel consistent friction on one side 
of the dial with every turn. You may 
also see the dial wobble as you turn it. 


NEVER, EVER mess with the dial by hit- 
ting it, banging it, or prying on it. Doing 
so may turn your safe to scrap metal. 


PART IV: GETTING DIGITS 


By this point you should already have 
located the gate position and deter- 
mined the number wheels. 


Slipped Wheels and Guessing the 
Combination 


If you have no idea what the combi- 
nation to the safe could possibly be, 
then you can skip this section. If you 
knew the combination, but it no longer 
works; or you know the person who 
originated the combination, then read 
on. 


Your combination no longer works. On 
locks that can have the combination 
changed, a wheel may have slipped 
from one position to another adjacent 
position due to an overly rigorous turn 
of the dial. For example, if your combi- 
nation was 77-33-55, and the 55 may 
have slipped to 53. Thus dialing a 55 
would not open the lock. The final digit 
of the combination is the most likely 
to have slipped, so begin by trying 


proximal combinations: 77-33.-53 and 
77-33-57. You may try adjacent combi- 
nation numberds on wheels three and 
two, but change only one digit at a time. 


If you knew the person who originated 
the combination, you may try num- 
bers associated with this person, such 
as birthdays, anniversaries, and impor- 
tant family dates. People often use dig- 
its familiar to them or that are easy to 
remember. An educated guess can goa 
long way. About 20% of safes cracked 
by the author have such combinations 
(e.g. 33-66-33, 75-25-50, 22-11-63, 
etc.) 


Method for Determining a First of 
Three Digits 


Remember the slop. That’s going to 
save you a lot of time! So will accurate 
dialing and record keeping. 


For this tutorial, we’re going to as- 
sume the gate position is roughly at 6 
to 12, as is common with many S&G 
UL2 locks. Begin by turning L four full 
turns. Continue to and stop at O. All 
three wheels are at O. Turn R to the gate 


position at 10. This is a turn of only 
90 digits, NOT a full turn. Move the 
dial back and forth carefully in the gate 
position. Measure contact points in the 
gate position (e.g.,6.5 and 12.1). Record 
this on your tracking sheet (See Figure 
4). 


Turn L from the gate position to 2.5, 
which will move all three wheels from 
O to 2.5. Again turn R to the gate po- 
sition at 10. Measure the gap in the 
left and right contact points. Record the 
contact points. 


Turn L to 5, which will again move all 
three wheels from 2.5 to 5. Turn R to 
the gate position and measure the gap 
in the contact points. Record the data. 


Testing 7.5 may get trickier. When 
checking digits in the gate position, 
you may have to get creative. In this 
case you may turn R to ~6 and record 
only the left contact point, then con- 
tinue R nearly a full turn until you get 
to 10, where you can then record the 
right contact point at ~12. Just be sure 
not to pass a 360° turn R from 7.5, or 
you ll move W3 from its position at 7.5. 


You can repeat this tricky process when 
testing 10, and possibly 12.5. Just be 
sure to record as much data and as ac- 
curately as you can. 


Continue at intervals of 2.5 by testing 
12.5,15,17.5,...92.5,95,and 97.5. 


As you review your data, you're look- 
ing for a point or points in the se- 
ries of tests where the gap between the 
left and right contact points becomes 
smaller. This happens when the wheel 
gate of the largest (or most raised) 
wheel is under the fence. This allows 
the fence to rest slightly lower than 
adjacent numbers while the nose is 
“hanging” in the cam wheel gate. When 
the fence is lower, the nose contacts the 
left and right portions of the cam wheel 
gate slightly sooner, making the mea- 
sured gap smaller. 


You may also be lucky enough to note 
two or more points in your data that 
may indicate wheel gate positions. 


This does not, however, tell you the 
precise combination digit, nor which 
wheel is causing this change. 


To narrow down from a range to a sin- 
gle combination digit, repeat the above 
test with every digit in the prospective 
combination digit area. In our exam- 
ple, we have a narrow measurement at 
77.5 and 80. You should test every digit 
around 73-83 or so. Again, the narrow- 
est gap measurement is likely where 
the combination digit is located. 


Determining on Which Wheel Your 
FIRST Prospective Combination Digit 
Is Located 


Ok, now you have a prospective com- 
bination digit of 77. You don’t know 
which wheel this combination digit 
represents, so you'll dial the following 
combinations and measure the gate po- 
sition after each one. We get the num- 
ber 67 by taking 77 minus 10. We get 
the 87 by taking 77 plus 10. A ten digit 
difference should allow sufficient vari- 
ation in measurement to determine 
further information. 


Figure 5. Testing to determine which 
wheel has a potential gate situated 
under the fence. 


Combination Left Right Contact Point 
(W1-W2-W3) | Contact Point | Contact Point Spacing 


> fs 
ra 


Remember that in our first test we 
were placing ALL of the wheels in the 
wheel pack at a given number. And our 
test determined that we had a possi- 
ble combination digit when ALL of the 
wheels were at position 77. By leaving 
all but one (two out of three) of the 
wheels in the position at 77, and chang- 
ing a third, we can see if there is a mea- 
surement change from what we found 
with our first test measurement with 
all wheels at 77. By testing a variation 
both above and below 77 (67 and 87) 
we can double check our data. 


As we see in Figure 5, when W1 is 
changed to 67 or 87, there is a notable 
increase in the measurement between 
the left and right contact points. By this 
we know that the gate of W1 1s at 77. 


Determining a Second When You 
Have the First Combination Digit 


Continuing our example from the pre- 
vious section, we assume we have the 
first combination digit of 77. By care- 
fully leaving the third while (first com- 
bination digit) in place, we can change 
the position of the other wheels and 
measure the contact points. This can 
potentially save the manipulator hun- 
dreds of turns of the dial. 


Leave the first digit in at 77, and 
move the other wheels to O, 2.5, 5, 
7.5, etc. Carefully record your measure- 
ments. As you find an additional wheel 
gate position on wheel one or two, fol- 
low the previous process of narrowing 
down the possible gate position to a 
specific digit. In our case, this is 34. 


Now, repeat the test to determine 
which wheel has a gate at 34 by dialing 
the following: 


77-34-44 

77-44-34 

77-34-24 

77-24-34 

Again, when the second or third digit is 
moved from its position at 34, the mea- 
surement between the contact points 
will widen. You know then that the 
moved wheel is where the 34 belongs. 
In our example, this is on wheel one 
(the third combination digit). 


Determining a Second When You 
Have the Second Combination Digit 


If you have the second digit of a three 
digit combination you will need to dial 
all three wheels in a similar pattern to 
the previous section. For our example, 
let's assume that we know the second 
digit is 34, but do not know the first or 
the last digits. 


Begin your test by dialing 00-34-00, 
followed by 02.5-34-02.5, 05-34-05, 


etc. Each time being sure to dial care- 


fully and record your data equally care- 
fully. 


Once you have a prospective digit, re- 
peat the test previously described pat- 
tern to find which wheel your prospec- 
tive combination digit is on. 


Determining a Second When You 
Have the Third Combination Digit 


For this example, let's assume you 
only know the final combination digit, 
and it is 55. As in the previous sec- 
tion, you will need to use three digit 
test combinations as follows: 00-00-55, 
O2.5-02.5-55, 05-05-55, etc. 


Again, use the test to determine which 
wheel a prospective combination digit 
may be on. In our example let's assume 
we've found a second digit at 34, you 
would use the following test combina- 
tions: 


24-34-55 
34-24-55 
44-34-55 
34-44-55 


Determining a Third Digit of a Four- 
digit Combination 


You would use the same pattern as pre- 
viously described for finding additional 
digits, even if the combination is 4 or 
even 5 digits long. 


Determining the Last Digit 


Use a brute force attack. You know two 
of the three combination digits, and 
which wheels they are on, so you only 
have 40 possible combinations to test. 
I generally like to test every two digits, 
rather than every 2.5, just to increase 
my error tolerance. For example, I may 
be off by one digit on the combination 
digits I assume I have. By dialing the 
unknown digit off by 0.25% may cause 
the lock to not open. And by moving 
from a 2.5 digit interval to 2 digit inter- 
val only increases the number of com- 
binations to test by 10, from 40 to 50. 


PART V: TIPS AND TRICKS 


Tip #1: The better you understand 
how locks function, the more time and 
effort you can save. Always be aware of 
which wheels are where, and which are 
moving at any given time. 


Tip #2: If you succeeded in opening 
your safe or changing your combina- 
tion, always test your combination sev- 
eral times with the door open! You can 
easily lock the door open by turning the 
dial left, and extending the door bolts 
with the door handle. Be careful not to 
try closing the door with the bolts ex- 
tended! You may inadvertently damage 
your safe. When testing your combi- 
nation, try adjusting each combination 
digit one at a time. Finding where your 
combination no longer works will give 
you the center of the wheel gate. For ex- 
ample, you think your combination is 
77-34-55: 


78-34-55 - works 
76-34-55 - works 
75-34-55 - doesn't work 
79-34-55 - doesn't work 


You have confirmed the first digit is 77. 


77-35-55 - doesn't work 
77-33-55 - works 
77-32-55 - works 
77-31-55 - doesn't work 


You have discovered your second digit 
is actually 33, not 34 as you first 
thought. 


77-33-56 - works 
77-33-57 - doesn't work 
77-33-54 - works 
7 7-33-53 - doesn't work 


You have confirmed the final digit is 55. 


Tip #3: You may think you have a com- 
bination digit correct, but only be at 
a point in the wheel pack where the 
fence depth is greater (or in a false 
gate). That’s fine; the greater the fence 
depth, the more information you can 
get. Park the wheel at its greatest depth 


and retest the other wheels. You may 
progress in stages as you increase the 
fence depth. 


Tip #3: If you're lucky enough to get Cl 
and C2 before C3, testing for the last 
should only take a matter of a few min- 
utes. 


You don't need to redial full combina- 
tions each time as you brute force test 
for the final digit. Just leave W1 and W2 
in place (park them) while turning back 
and forth between your various C3 test 
digits (on W3) and the gate. When you 
hit the right digit (or close), the fence 
will drop. 


Tip #4: As with tip #3, if you know only 
the first digit, you can test the last two 
digits by parking W1. This takes a bit 
more practice and careful attention to 
what’s happening inside the lock. 


Tip #5: Depending on your safe and 
lock designs, putting pressure on the 
door handle or wheel may transfer 
pressure through the lock bolt and 
press the nose to the wheel cam (or 
fence to the wheel pack). As long as 
you do it consistently, this may en- 


hance your ability to measure changes 
in the gap between the contact points. 
If you do it inconsistently, some your 
measurements will certainly be off, and 
you'll have to start over. 


Tip #6: You may come up with your 
own system depending on the dial 
you're working with, but I don't actu- 
ally divide the the space between each 
digit mark on the dial into equal tenths. 
I use approximations based on the vis- 
ual relationship between the dial digit 
mark and the open index mark. For ex- 
ample, if my left contact point is some- 
where between dial numbers 6 and 7 
and my right contact point is between 
11.4 and 12.6: 


6.0 - The digit mark and open index 
mark are in direct vertical alignment 
6.1 - The digit mark is slightly mis- 
aligned to the right of the open index 
mark 

6.25 - The left edge of the digit mark 
is aligned with the center of the open 
index mark 

6.3 - The digit mark 1s still overlapping 
the open index mark, but just barely 


6.5 - The open index mark is perfectly 
aligned between digits 6 and 7. 

6.7 - The open index mark is just barely 
overlapping onto the left side of the 7. 
6.75 - The left side of the 7 is aligned 
with the center of the open index mark 
6.9 - The 7 is nearly fully aligned with 
the open index mark. 


11.3. - The digit mark is still over- 
lapping the open index mark, but just 
barely 

11.4 - The open index mark is just 
barely off center. 

11.5 - The open index mark is perfectly 
aligned between digits 6 and 7. 


11.6 - The open index mark is just 
barely off center 
11.7 - The open index mark is just 


barely overlapping onto the left side of 
the 7. 

11.75 - The left side of the 7 is aligned 
with the center of the open index mark 
11.9 - The 71s nearly fully aligned with 
the open index mark. 

12.0 - The digit mark and open index 
mark are in direct vertical alignment 
12.1 - The digit mark is slightly mis- 


aligned to the right of the open index 
mark 

12.25 - The left edge of the digit mark 
is aligned with the center of the open 
index mark 

12.3. - The digit mark is still over- 
lapping the open index mark, but just 
barely 


This kind of system allows you to easily 
perceive discrete differences in contact 
point measurements without being 
constrained by precise 1/10th sections 
of dial digits. 


Tip #7: Using a stethoscope may help; 
however, if your lock makes noise, 
it's probably enough contact to feel 
through the dial to start with. You can 
get a cheap mechanic's stethoscope at 
many auto parts stores. 


If you want to read a bunch of 
crap about using a stethoscope to 
crack a safe, read the WikiHow on 
safecracking. I suspect is was put there 
by a trained safe technician to screw 
with people by playing on their Holly- 
wood perceptions of safecracking. 


Tip #8: When you understand the op- 
eration of the wheel pack, you'll realize 
that the combination may be manipu- 
lated both L-R-L and R-L-R. The fence 
will drop when the nose enters the gate 
position, but the lock bolt can only be 
retracted by dialing a single direction-- 
usually R. Dialing a combination back- 
wards will require a switch in dlial- 
ing direction once the gate position is 
reached. Depending on the lock design, 
the L-R-L and R-L-R combinations may 
be slightly different. 

Tip #9: When the fence is over one of 
the gates, and the nose drops slightly 
lower in the cam gate, the right contact 
point will show a more marked differ- 
ence than will the left contact point. 
Unfortunately, the right contact point 
is also more difficult to measure ac- 
curately. This phenomenon is due to 
the sloped nature of the right contact 
point. Thus, you should be the most 
careful in measuring the right contact 


point. 


PART VI: FAILURE! 


You may consider quitting after many 
hours without success. If, however, you 
have made progress in fence depth, 
a shortening in the distance between 
contact points, then you will eventually 
succeed. See Tip #3. Park the wheel or 
wheels you know are “low” and retest 
the other(s). Be tenacious, be persis- 


tent! 


After great effort, if you still have had 
zero success in determining the contact 
points, or in increasing fence depth, 
then you may have a more complicated 
lock. Some locks, including some UL2 
locks use mechanisms to hide the de- 
tails of the wheel pack. At this point, 
you may have a lock that cannot be ma- 


nipulated, let alone by a beginner. 


PART VII: SUCCESS! 


Congratulations on cracking your safe! 
That feeling when the fence drops into 
the gates for the first time... 


Wow! Right?! 


And thank you for buying my e-book. 
I'd love to hear about your success 
stories! Or did you have trouble un- 
derstanding part of my e-book? Have 
some constructive feedback? I want to 
hear from you; please share with me at 


ammonymous@gmail.com. 


BONUS 


Here’s a little extra information that 
may come in handy 


Resetting the Combination 


You don't need a safe technician or 
locksmith to reset your safe combina- 
tion for you. If you're mechanically in- 
clined, you may not even need a lock 
change key. 


If you do have a key (the right key for 
your lock), this is how you change your 
combination: 


1) Open your safe. 

2) With your safe door open, lock it and 
dial your combination on the change 
index mark, not on the open index 
mark. 

3) Insert the correct combination 
change key in the back of your lock. 
Using the wrong key can foul up your 
lock. 

4) Turn the dial four full turns and 
begin dialing your new combination 

5) Remove the key. 

6) Test your combination (on the open 
index) several times. Also, see Tip #2, 
above. 


Alternately, you may physically dis- 
mantle your lock and reassemble it 
with a new combination. If your lock 
has a change key hole (back plate of the 
lock), the wheels of your lock will con- 
sist of inner and outer rings. By chang- 
ing the orientation of these inner and 
outer rings you can change the lock 
combination. 


ONLY do this if you are very mechani- 
cally inclined. Also, see Tip #2. 


BONUS: Cracking Home Fire Safes 
with Electronic Locks 


Walmart, Office Depot, Lowes, and 
other big box stores often sell home fire 
safes with electronic locks. Obviously, 
fire safes are intended to guard against 
fires not burglars, making many of 
these safes extremely easy to crack. The 
better you know the safe, the easier 
cracking it will be. Most electronic locks 
will fail for two reasons: the battery is 
dead or the battery is dead. (Sometimes 
the internal working get bound up a 
bit, so you just need to wiggle the door 
handle a little.) Because of the constant 
threat of a dead battery, electronic safes 
always have a backup access method. 
Sometimes the batteries are included 
on the exterior of the safe, but more 
commonly the safe can be unlocked 
with a tube key. Tube lock picks are 
easy to purchase, although some safes 
use extra deep tube locks that normal 
tube lock picks won't work on. 


But don't worry, it's easier than that. 


The basic principle of electronic safe 
locks is the same as mechanical dial 
locks: the lock merely stops the handle 
from turning the door lock bolts. In the 
case of a mechanical dial lock, a lock 
bolt blocks the door lever's operation. 
In the case of an electronic lock, the 
correct combination entered into the 
keypad powers a solenoid. The solenoid 
uses electromagnetic forces to draw a 
locking pin back, thus allowing the 
door handle to operate the door locking 
bolts. Locking pins may use gravity to 
stay in the locked position, or the more 
likely scenario is that a light spring 
holds the pin in the locked position. In 
either case you can use gravity to defeat 
the locking pin. 


In the unlikely case a spring is not used 
on the locking pin, gravity is used to 
hold the spring down in the locked po- 
sition. The solenoid pulls the pin up to 
open the safe. Just turn the safe upside 
down and it will open. 


In the much more likely case that a 
retaining spring is used on the lock- 


ing pin, the spring will probably hold 
the pin up in the locked position. The 
purpose of this is so the solenoid will 
be gravity assisted in pulling the pin 
down and out of the way of the door 
bolt mechanisms. Using gravity to as- 
sist the solenoid in drawing the pin 
down against its retaining spring saves 
battery power and increases reliabil- 
ity. However, this also makes defeating 
that electronic lock easier. Here's how: 


Place the safe on a hard surface (not 
carpet). Tilt the safe back so the front 
of the safe is 3-6 inches off the floor. 
Let the safe fall to the floor. In the 
instant the safe hits the floor (or the 
millisecond after), the locking pin will 
continue its downward motion against 
the retaining spring, thereby unlocking 
the safe for a split second before the re- 
taining spring pops the pin back into 
the locked position. 


If you can time it during that millisec- 
ond after the safe drops to the floor, 
turn the door handle and the safe will 
open. 


Once open, it's easy to replace the batter 
or change the electronic combination. 
Simply search the instructions for your 
model online. 


